Like a key under a door mat, the MAC address exposed here allows hackers to tamper with this Internet-connected RuggedCom device, used to control power substations and other critical infrastructure.

In the world of computer systems used to flip switches, open valves, and control other equipment inside giant electrical substations and railroad communications systems, you'd think the networking gear would be locked down tightly to prevent tampering by vandals. But for customers of Ontario, Canada-based RuggedCom, there's a good chance those Internet-connected devices have backdoors that make unauthorized access a point-and-click exercise.

That's because equipment running RuggedCom's Rugged Operating System has an undocumented account that can't be modified and a password that's trivial to crack. What's more, researchers say, for years the company hasn't bothered to warn the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear that the account can give attackers the means to sabotage operations that affect the safety of huge populations of people.

"You treat these embedded appliances as a device that you don't have a window to see into," says researcher K. Reid Wightman of industrial machinery, which is often designed to withstand extreme heat and cold, dust, and other brutal conditions where they're housed. "You can't really patch it. You have to rely on the vendor to do the right thing when they set the device up and when they install the OS. And the vendor really fell down on this one."

The backdoor uses the login ID of "factory" and a password that's recovered by plugging the MAC, or media access control, address of the targeted device into a simple Perl script, according to this post published on Monday to the Full Disclosure security list. To make unauthorized access easy, paying customers of the Shodan computer search engine can find the IP numbers of more than 60 networks that use the vulnerable equipment. The first thing users who telnet into them see, as the picture above demonstrates, is the device's MAC address.

Like a router plugged into a utility's power grid

Equipment running the Rugged Operating System acts as the switches and hubs that connect programmable logic controllers to the computer networks used to send them commands. They may sit between the computer of an electric utility employee and the compact disk-sized controller that breaks a circuit when the employee clicks a button on her screen. To give the equipment added power, Rugged Operating System is fluent in the Modbus and DNP3 communications protocols used to natively administer industrial control and SCADA, or supervisory control and data acquisition, systems. The US Navy, the Wisconsin Department of Transportation, and Chevron are just three of the customers who rely on the gear, according to this page on RuggedCom's website.

"As a citizen and based on the customer list on their website, I know for a fact that I personally depend on this equipment every day in some way," said Justin W. Clarke, the author of the full-disclosure advisory who said he notified company officials of the backdoor 12 months ago. "The equipment is so widely installed that it would be logical to assume that something I'm doing—whether it's riding a train, using power, or walking across a crosswalk—depends on this."

RuggedCom representatives didn't respond to a request for comment. This article will be updated if a response is received after its initial publication.

According to a timeline included in Clarke's advisory, RuggedCom officials earlier this month stated "they need another three weeks to alert their customers, but not fix the vulnerability." Working with the US Computer Emergency Response Team, Clarke said he sought additional information, but RuggedCom never responded.

The hardcoded backdoor can be opened when users access affected devices using telnet, remote shell, or a serial console. The best defense against attacks that exploit the vulnerability is a layered approach that includes isolating devices from the Internet altogether as well as disabling or blocking telnet and remote shell access through network filters or firewalls, Clarke said.
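The layered defence described above is something an operator can also monitor for. The following is an added example, not code from the article or from RuggedCom: it triages constructed firewall-flow and device-login log lines, flagging telnet or rsh sessions to switch management ports that do not originate from an assumed management subnet, and any login attempt using the undocumented "factory" account. The log formats, the 10.10.0.0/24 management subnet and the 10.20.0.7 switch address are all assumptions made for the example.

```python
"""Triage constructed logs for the two conditions the article names:
legacy telnet/rsh access to the switches, and use of the 'factory' account.
Log formats here are invented for the example; they are NOT RuggedCom's."""
import ipaddress
import re
from dataclasses import dataclass

MGMT_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed jump-host subnet
LEGACY_PORTS = {23: "telnet", 514: "rsh"}          # cleartext admin services
BACKDOOR_USER = "factory"                          # account named in the advisory

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
LOGIN_RE = re.compile(r"login user=(\S+) from=(\S+) result=(\w+)")


@dataclass(frozen=True)
class Finding:
    severity: str
    reason: str
    line: str


def check_flow(line):
    """Flag telnet/rsh flows; anything from outside the management net is high."""
    m = FLOW_RE.search(line)
    if m is None:
        return None
    src, dst, dport = m.group(1), m.group(2), int(m.group(3))
    svc = LEGACY_PORTS.get(dport)
    if svc is None:
        return None
    if ipaddress.ip_address(src) in MGMT_NET:
        return Finding("medium", f"{svc} to {dst} from management host; prefer SSH/VPN", line)
    return Finding("high", f"{svc} to {dst} from {src}, outside management subnet", line)


def check_login(line):
    """Any use of the undocumented account is critical, successful or not."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    user, src, result = m.groups()
    if user == BACKDOOR_USER:
        return Finding("critical", f"account '{user}' login {result} from {src}", line)
    return None


def triage(lines):
    """Run every check over every line; return the findings in log order."""
    return [f for line in lines for chk in (check_flow, check_login) if (f := chk(line))]


# Constructed sample: SSH from a jump host (fine), telnet from the same host
# (weak), telnet from a public address, then a 'factory' login from it.
SAMPLE_LOGS = [
    "2012-04-23T10:01:02 fw flow src=10.10.0.5 dst=10.20.0.7 dport=22 action=allow",
    "2012-04-23T10:02:10 fw flow src=10.10.0.5 dst=10.20.0.7 dport=23 action=allow",
    "2012-04-23T10:05:44 fw flow src=198.51.100.23 dst=10.20.0.7 dport=23 action=allow",
    "2012-04-23T10:05:49 sw7 login user=factory from=198.51.100.23 result=success",
    "2012-04-23T10:09:00 sw7 login user=admin from=10.10.0.5 result=success",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.reason}")
```

The same logic maps directly onto a firewall rule set: everything the triage marks "high" is a flow the filter should have dropped.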

An independent security researcher in San Francisco, Clarke told Ars he has grown so concerned about the lack of security in industrial control systems that he's taken to ordering used gear hawked on eBay to see what kinds of vulnerabilities he can find in it. He said he spotted the Rugged OS backdoor with little trouble by analyzing an image of the RuggedCom firmware.

"It is esoteric, it is obscure, but this equipment is everywhere," he said. "I was walking down the street and they had one of the traffic control cabinets that controls stop lights open and there was a RuggedCom switch, so while you and I may not see it, this is what's used in electric substations, in train control systems, in power plants and in the military. That's why I personally care about it so much."

This article was updated to remove identifying information included in the image.

50 Reader Comments

When will they ever learn? Not the vendors, the people who buy this junk. Twenty years ago I was including the following language in systems contracts for a large healthcare organization:

"No Undisclosed Access: Vendor represents and warrants that the software as delivered, and as maintained during the term of this agreement, contains no login procedure, user ID, access code, or means of gaining access to any function of the software which is not described in the documentation delivered with the software. Vendor will provide all information necessary for [redacted] to change any and all passwords or other facilities for gaining access to any function of the software."

Anyone who buys software with a vendor-installed back door and no contractual recourse needs to be replaced by someone competent.

Edit: Feel free to borrow the above language, but run it by your lawyers; it's 20 years old.

.. Justin W. Clarke, the author of the full-disclosure advisory who said he notified company officials of the backdoor 12 months ago....RuggedCom officials earlier this month stated "they need another three weeks to alert their customers, but not fix the vulnerability."

Let me translate that:

Justin: Ah, you guys have a hard-coded backdoor in your device, which I hacked
RuggedCom: Oh, thanks for the information, we'll get on that
[12 months pass]
Justin: Have you guys fixed this yet?
RuggedCom: *shit, we thought he'd forget about this!* "Ah, we need 3 more weeks to wrap this up!"

Regardless of the huge issue with a hard-coded admin account on this hardware -- why in the hell is it not behind a firewall accessible only through a secured VPN connection?

- These controllers shouldn't be reachable from the Internet. The example given here is hanging right off a cable modem, ferchrissakes! (Ars really should have redacted the IP address, if that thing is still up I bet you people are having a lot of fun with it. FYI, the photo credit links to a different pic... did you mean to put that screenshot up?)

- Factory backdoors should require physical access. If this was only from the serial console, fine, great recovery feature. Not so much when you can telnet right into it. At least give us a jumper or DIP switch so this kind of thing can be disabled when it's not needed.

- As bob.brown pointed out, this kind of thing absolutely needs to be disclosed.

If you go into many of the catalogs and websites for PLC and RTU equipment, the fact that the devices have modem connections and respond to Telnet connections are touted as FEATURES!

Usually they will also support SNMP, a lot of them have internal Web servers that allow control functionality. I haven't found a single device that doesn't have a default admin user name and password but very few that allow the default to be shut off. Most of the devices allow the system to be remotely reset with the admin logon. That in itself is a no-brain way to disrupt systems without knowing a single thing about what the PLC is connected to or programmed to do.

It doesn't stop with Siemens or ABB but every manufacturer out there has Internet capable devices that are sold typically for the remote access capability. Also most of them have no IPv6 capabilities. So at best once the net goes v6, they'll need address translation to work. My guess is that somebody in those companies has already readied a network address translation device to plop down on the network connection. That will be our last chance to improve security until an Internet 911 event occurs.

As an IT professional who has to deal with utilities and the Government, I can attest it's worse than it seems. The people who make the decisions have no idea of the technical aspects they are missing. I've been in situations that, from a technology standpoint, can only be described as absurd.

Example: In receiving a certification for security related work I was told point blank that a certain government organization absolutely does not recognize DOD standards for data destruction. Nothing short of physical destruction of media was to be accepted. I.e.: Can't overwrite drives with layers of pseudorandom data to eradicate information, only physical destruction was allowed. In essence, any equipment I issued to a certain project I had to write off the hard drive if I was going to recover assets later.

The conversation moved to how secure our printers were. We showed them, in this case, the Xerox certification of immediate image overwrite that they provide (at a cost) on their production printers. It was signed off as secure, and we moved on.

The stunning part is there is NO difference in the two situations. It was just government Mooks signing off a piece of paper that they had no real understanding of. I don't see this changing any time soon.

These controllers shouldn't be reachable from the Internet. The example given here is hanging right off a cable modem...[snip]

Yup, there's a RuggedCom controller at that address, or at least something that gives the splash screen in the photo. I'm guessin' (and hoping!) that this is Justin Clarke's research machine, and not something that's in production. (Nope, I didn't run the password cracker and try logging in. That might be {gasp} illegal, depending upon where the machine is physically located.)

These controllers shouldn't be reachable from the Internet. The example given here is hanging right off a cable modem...[snip]

Yup, there's a RuggedCom controller at that address, or at least something that gives the splash screen in the photo. I'm guessin' (and hoping!) that this is Justin Clarke's research machine, and not something that's in production. (Nope, I didn't run the password cracker and try logging in. That might be {gasp} illegal, depending upon where the machine is physically located.)

Bob.Brown. The splash screen shown in the photo came from an IP address returned by Shodan. Whatever it may be, it is *not* Clarke's research machine.

Wasn't this the first alert security experts (and our government) pushed out after 9/11? Critical infrastructure is vulnerable to both physical and electronic attack, and most of it isn't hardened in any way?

It's shocking to me that a decade after we were supposed to have been alerted to these kinds of issues as a nation that companies still aren't taking them seriously.

In all seriousness, if traditional terrorist groups don't take advantage of information like this, it's only a matter of time until Anon or the like decides hacking these is in the interests of one of their fights.

These controllers shouldn't be reachable from the Internet. The example given here is hanging right off a cable modem...[snip]

Yup, there's a RuggedCom controller at that address, or at least something that gives the splash screen in the photo. I'm guessin' (and hoping!) that this is Justin Clarke's research machine, and not something that's in production. (Nope, I didn't run the password cracker and try logging in. That might be {gasp} illegal, depending upon where the machine is physically located.)

Bob.Brown. The splash screen shown in the photo came from an IP address returned by Shodan. Whatever it may be, it is *not* Clarke's research machine.

So, you (meaning Ars) have no idea what that IP is connected to, and yet you are displaying it, along with information about how it's hackable? Yes, of course, it's public knowledge already, but in a day where people are being extradited for merely posting a link to a link to a torrent of *insert popular media item here*, Ars is being rather adventurous.

@cdclndc, stupidity and blind bureaucracy is half the problem. The other half is the people that do know better, but they could give a shit because it affects their bottom line. Doing it right is too expensive when your bonus is at risk. Fuck all else, including the nuclear power plant down the street from a few million families.

So, you (meaning Ars) have no idea what that IP is connected to, and yet you are displaying it, along with information about how it's hackable? Yes, of course, it's public knowledge already, but in a day where people are being extradited for merely posting a link to a link to a torrent of *insert popular media item here*, Ars is being rather adventurous.

The cat's out of the bag. You want to do something productive now? The block the IP is in belongs to Clearwire. Give them a ring, ask to speak to security, tell them what's going on and that they might want to contact the customer about the situation. The worst they can say is "no, we can't do that".

These controllers shouldn't be reachable from the Internet. The example given here is hanging right off a cable modem...[snip]

Yup, there's a RuggedCom controller at that address, or at least something that gives the splash screen in the photo. I'm guessin' (and hoping!) that this is Justin Clarke's research machine, and not something that's in production. (Nope, I didn't run the password cracker and try logging in. That might be {gasp} illegal, depending upon where the machine is physically located.)

Bob.Brown. The splash screen shown in the photo came from an IP address returned by Shodan. Whatever it may be, it is *not* Clarke's research machine.

Wait, what?? You don't even know whose IP that is or what it controls?!? Then redact it for crying out loud! I'd think reporting about a security vulnerability, and then publishing a specific machine to go try it on would set you up for some huge liability!

I was just trying to be helpful and do the 30 seconds of research required to find the person you should notify. *shrugs*

No good deed goes unpunished. I included the IP address, now redacted from the screen shot, in my message to the Michigan State Police. Assuming they do anything at all about my message, they'll be able to find the same information easily. And, if they don't do anything, well, we tried. (They also have my email address and phone number in case they're moved to act, but I've somehow been unclear.)

If you want to discuss the location of the device in the screenshot or make nefarious plans, do it elsewhere. Any further discussion of the location will be moderated and Official Warnings will be handed out.

Ya, That was a real device that was live "somewhere"..... going by what it is called. Not gonna talk about it since everything got redacted.

Don't wanna scare you,but actually the crack team at Ars dispatched several units to redact you and SupaFly... permanently.

On-topic (sorta) - I do wonder one thing - why even risk having such mission critical equipment connected to the internet? No offence, but as there is no such thing as an impenetrable security system, having those facing the general .Net population is a rather severe security risk which should override any other consideration.

On-topic (sorta) - I do wonder one thing - why even risk having such mission critical equipment connected to the internet? No offence, but as there is no such thing as an impenetrable security system, having those facing the general .Net population is a rather severe security risk which should override any other consideration.

It makes sense to connect remote monitoring and control systems through, for example, inexpensive and sufficiently-reliable 3G or LTE networks, which of course means the Internet. Why pay thousands of dollars for a dedicated line just to connect a small bank of sensors and switches? We're talking about pipelines, railroads, transmission controls, and other equipment strewn hundreds of miles across the country. Retail cable modems, DSL, and wireless all make sense.

But when you do that, of course, you make sure everything is secured against known and unknown attacks. VPNs, SSL, SSH, firewall rules, and all the other usual stuff should apply here. A $30 wired-only router off the shelf would be sufficient. So that bit is alarming.

And in this case, even if everything else had been done right, username 'factory' password 'hash of mac address' could undermine the whole objective.

Bob - Great bit of language. I'm adding that to my vendor agreements from now on.

It makes sense to connect remote monitoring and control systems through, for example, inexpensive and sufficiently-reliable 3G or LTE networks, which of course means the Internet. Why pay thousands of dollars for a dedicated line just to connect a small bank of sensors and switches? We're talking about pipelines, railroads, transmission controls, and other equipment strewn hundreds of miles across the country. Retail cable modems, DSL, and wireless all make sense.

But when you do that, of course, you make sure everything is secured against known and unknown attacks. VPNs, SSL, SSH, firewall rules, and all the other usual stuff should apply here. A $30 wired-only router off the shelf would be sufficient. So that bit is alarming.

And in this case, even if everything else had been done right, username 'factory' password 'hash of mac address' could undermine the whole objective.

Bob - Great bit of language. I'm adding that to my vendor agreements from now on.

By 'makes sense' you mean it's more convenient and expedient and I agree with that assessment. HOWEVER, when we're talking about critical infrastructure and services I believe that 'secure by design' outweighs the relatively trivial (compared to the overall US budget or hell - even the money wasted on bribing other countries *cough* Pakistan/Afghanistan *cough* to sorta behave) additional costs associated with running secure intranets completely isolated from the web (a bonus of such compartmentalization is that a viral attack a-la Iran would be rendered ineffective). I know it's paranoid, but you just can't risk someone penetrating the power grid for example and cause a cascading blackout across part of the US ... or worse. A good analogy is the strategic arsenal maintained by the US - it's rather more convenient to store it at one or 2 places and scrap stuff like the two man rule, because it just duplicates personnel and increases operating costs, but the DoD goes for a dispersal of both conventional and nuclear assets so a single strike can't cripple the entire arsenal and keeps the two man rule so a single rogue element can't do unimaginable harm.